Self-pairings on supersingular elliptic curves with embedding degree threethree

Self-pairings are a special subclass of pairings and have interesting applications in cryptographic schemes and protocols. In this paper, we explore the computation of the self-pairings on supersingular elliptic curves with embedding degree $k = 3$. We construct a novel self-pairing which has the same Miller loop as the Eta/Ate pairing. However, the proposed self-pairing has a simple final exponentiation. Our results suggest that the proposed self-pairings are more efficient than the other ones on the corresponding curves. We compare the efficiency of self-pairing computations on different curves over large characteristic and estimate that the proposed self-pairings on curves with $k=3$ require $44\%$ less field multiplications than the fastest ones on curves with $k=2$ at AES 80-bit security level

Easy decision-Diffie-Hellman groups

The decision-Diffie-Hellman problem (DDH) is a central computational problem in cryptography. It is known that the Weil and Tate pairings can be used to solve many DDH problems on elliptic curves. Distortion maps are an important tool for solving DDH problems using pairings and it is known that distortion maps exist for all supersingular elliptic curves. We present an algorithm to construct suitable distortion maps. The algorithm is efficient on the curves usable in practice, and hence all DDH problems on these curves are easy. We also discuss the issue of which DDH problems on ordinary curves are easy

Still Wrong Use of Pairings in Cryptography

Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page

Pairing computation on hyperelliptic curves of genus 2

Bilinear pairings have been recently used to construct cryptographic schemes with new and novel properties, the most celebrated example being the Identity Based Encryption scheme of Boneh and Franklin. As pairing computation is generally the most computationally intensive part of any painng-based cryptosystem, it is essential to investigate new ways in which to compute pairings efficiently. The vast majority of the literature on pairing computation focuscs solely on using elliptic curves. In this thesis we investigate pairing computation on supersingular hyperelliptic curves of genus 2 Our aim is to provide a practical alternative to using elliptic curves for pairing based cryptography. Specifically, we illustrate how to implement pairings efficiently using genus 2 curves, and how to attain performance comparable to using elliptic curves. We show that pairing computation on genus 2 curves over F2m can outperform elliptic curves by using a new variant of the Tate pairing, called the r¡j pairing, to compute the fastest pairing implementation in the literature to date We also show for the first time how the final exponentiation required to compute the Tate pairing can be avoided for certain hyperelliptic curves. We investigate pairing computation using genus 2 curves over large prime fields, and detail various techniques that lead to an efficient implementation, thus showing that these curves are a viable candidate for practical use

Faster Computation of Self-pairings

Self-pairings have found interesting applications in cryptographic schemes. In this paper, we present a novel method for constructing a self-pairing on supersingular elliptic curves with even embedding degrees, which we call the Ateil pairing. This new pairing improves the efficiency of the self-pairing computation on supersingular curves over finite fields with large characteristics. Based on the $\eta_T$ pairing, we propose a generalization of the Ateil pairing, which we call the Ateil$_i$ pairing. The optimal Ateil$_i$ pairing which has the shortest Miller loop is faster than previously known self-pairings on supersingular elliptic curves over finite fields with small characteristics. We also present a new self-pairing based on the Weil pairing which is faster than the self-pairing based on the Tate pairing on ordinary elliptic curves with embedding degree $one$

Elliptic curves with j = 0, 1728 and low embedding degree

Elliptic curves over a finite field Fq with j-invariant 0 or 1728, both supersingular and ordinary, whose embedding degree k is low are studied. In the ordinary case we give conditions characterizing such elliptic curves with fixed embedding degree with respect to a subgroup of prime order . For k = 1, 2, these conditions give parameterizations of q in terms of and two integers m, n. We show several examples of families with infinitely many curves. Similar parameterizations for k ? 3 need a fixed kth root of the unity in the underlying field. Moreover, when the elliptic curve admits distortion maps, an example is provided

Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption

Ciphertext-Policy Attribute-Based Encryption (CPABE) was introduced by Bethencourt, Sahai, and Waters, as an improvement of Identity Based Encryption, allowing fine grained control of access to encrypted files by restricting access to only users whose attributes match that of the monotonic access tree of the encrypted file. Through these modifications, encrypted files can be placed securely on an unsecure server, without fear of malicious users being able to access the files, while allowing each user to have a unique key, reducing the vulnerabilites associated with sharing a key between multiple users. However, due to the fact that CPABE was designed for the purpose of not using trusted servers, key management strategies such as efficient renewal and immediate key revocation are inherently prevented. In turn, this reduces security of the entire scheme, as a user could maliciously keep a key after having an attribute changed or revoked, using the old key to decrypt files that they should not have access to with their new key. Additionally, the original CPABE implementation provided does not discuss the selection of the underlying bilinear pairing which is used as the cryptographic primitive for the scheme. This thesis explores different possibilites for improvement to CPABE, in both the choice of bilinear group used, as well as support for key management that does not rely on proxy servers while minimizing the communication overhead. Through this work, it was found that nonsupersingular elliptic curves can be used for CPABE, and Barreto-Naehrig curves allowed the fastest encryption and key generation in CHARM, but were the slowest curves for decryption due to the large size of the output group. Key management was performed by using a key-insulation method, which provided helper keys which allow keys to be transformed over different time periods, with revocation and renewal through key update. Unfortunately, this does not allow immediate revocation, and revoked keys are still valid until the end of the time period during which they are revoked. Discussion of other key management methods is presented to show that immediate key revocation is difficult without using trusted servers to control access